Online marketer tapped browser flaw to see if visitors were pregnant

An advertising network that served banners on cnn.com, orbitz.com, and 45,000 other sites has settled federal charges that it illegally exploited a decade-old browser flaw that leaks the history of websites users visit.

Epic Marketplace settled the charges by agreeing to destroy the data it gathered and to curb the practice in the future, according to a release issued on Wednesday. The settlement also bars the company from making misrepresentations about the data it collects about people browsing the Web.

Until about two years ago, a weakness built into every major browser made it trivial for websites to compile detailed lists of other webpages viewed by their visitors. The sniffing technique worked by analyzing the color of links browsers use to show which URLs a user already clicked on. Mozilla Firefox was the first major browser to plug the leak. All other major browser makers have since followed suit.

Epic Marketplace isn't the only Web company accused of exploiting the vulnerability. In 2010, researchers at the University of California at San Diego said they caught YouPorn.com and 45 other sites pilfering users' browser history to determine if they visited other pornographic sites. Browser history attacks typically deploy JavaScript to analyze CSS settings in a browser.

22 Reader Comments

I wouldn't say it was "trivial" to collect data. It didn't provide direct access to browser history; instead, you had to try specific URLs and you could tell if it had been visited or not. So it was obviously a problem, but websites couldn't sniff your whole history, nor could they know when you visited the site; they could only tell that you did at some point.

In 2010, researchers at the University of California at San Diego said they caught YouPorn.com and 45 other sites pilfering users' browser history to determine if they visited other pornographic sites.

I'm fairly certain, and I could be wrong, but if you're on YouPorn's site you've most likely visited other sites of such ilk as well. A lot.

I'd suggest using Ghostery in addition to Adblock. Not only do you get more privacy, but it is simply amazing to see how many companies are trying to sniff your browser. It even detects Piwik these days, though that is not a 3rd party sniffer.

I'd suggest using Ghostery in addition to Adblock. Not only do you get more privacy, but it is simply amazing to see how many companies are trying to sniff your browser. It even detects Piwik these days, though that is not a 3rd party sniffer.

Interesting post. I normally run both those programs but I have them whitelisted on Ars as a courtesy. Ghostery is reporting 11 trackers on this site. I suppose I have a couple questions and hope someone could answer them.

First. When you subscribe to Ars one of the perks is that you don't see ads. That would negate the AdBlock needs for some. Does that also disable the trackers?

Second. I suppose the answer is 'Yes' but I'm not clear on this. Does the use of a program such as Ghostery deny revenue to Ars as a whole? How does that work? I suppose one aspect is tracking click throughs but if anyone has any hard information, I'd be interested to know.

I wouldn't say it was "trivial" to collect data. It didn't provide direct access to browser history; instead, you had to try specific URLs and you could tell if it had been visited or not. So it was obviously a problem, but websites couldn't sniff your whole history, nor could they know when you visited the site; they could only tell that you did at some point.

NOTE:
• These websites were sniffing thousands of websites at a time, with lists that were only machine-readable transmitted with a visible web page.
• Not all of the millions of websites out there are equally popular... There's a probability distribution there.
• Different websites in history tell you different amounts of information about a person... Some tell you a lot more about a person than others.
• Each person typically visits dozens/hundreds of distinct websites in a month/year.

If you have a decent intuitive understanding of statistics and probability theory, you will be able to combine all these facts into an overall conclusion: this practice was not only wrong, but it was a real problem for privacy etc. This was a major vulnerability in everyone's privacy, and it was exploited on a large scale.

Do I trust the company to DELETE the data? No! If past experience is anything to go by, they'll sell it on and THEN "delete" it... And someone will get rich, and won't be punished because they have connections... They need to have some regulators breathing down their necks, until they get so tired of it that they will REALLY comply and REALLY not do it again!

I wouldn't say it was "trivial" to collect data. It didn't provide direct access to browser history; instead, you had to try specific URLs and you could tell if it had been visited or not. So it was obviously a problem, but websites couldn't sniff your whole history, nor could they know when you visited the site; they could only tell that you did at some point.

It was trivial to collect this data because the JavaScript for this exploit has been circulating on the net for years. So including this attack on a website is literally a cut and paste exercise.

I'd suggest using Ghostery in addition to Adblock. Not only do you get more privacy, but it is simply amazing to see how many companies are trying to sniff your browser. It even detects Piwik these days, though that is not a 3rd party sniffer.

I agree and there are 10 different trackers on this page according to Ghostery.

Interesting post. I normally run both those programs but I have them whitelisted on Ars as a courtesy. Ghostery is reporting 11 trackers on this site. I suppose I have a couple questions and hope someone could answer them.

First. When you subscribe to Ars one of the perks is that you don't see ads. That would negate the AdBlock needs for some. Does that also disable the trackers?

No it does not. As a subscriber I see all the same trackers whether I am logged in or not.

Quote:

Second. I suppose the answer is 'Yes' but I'm not clear on this. Does the use of a program such as Ghostery deny revenue to Ars as a whole? How does that work? I suppose one aspect is tracking click throughs but if anyone has any hard information, I'd be interested to know.

My understanding is that ad revenue is related to ad impressions and (to a lesser extent) click-through, and that the trackers do not have any direct impact on that (although ad images themselves allow tracking, Ghostery lets them through, so the advertising company should know how many people are viewing them). The various trackers on Ars are there to provide more analytics about the site visitors which could be used to attract advertisers (among other things) so I suppose it could have an indirect effect on revenue.

I'd suggest using Ghostery in addition to Adblock. Not only do you get more privacy, but it is simply amazing to see how many companies are trying to sniff your browser. It even detects Piwik these days, though that is not a 3rd party sniffer.

Interesting post. I normally run both those programs but I have them whitelisted on Ars as a courtesy. Ghostery is reporting 11 trackers on this site.

Likewise, I whitelist Ars in AdBlock Plus, but NoScript takes care of the rest. Again, Ars itself is whitelisted in NoScript.

That's not a browser flaw. It's an unintended consequence of following the HTML/CSS specifications. If you want to say something is flawed it's the spec, not the browsers.

Seems to me the flaw was in the browser's implementation of this feature, particularly since browser makers have fixed the weakness without any spec being rewritten.

No, it's a problem with the spec. That's the reason it took so long before there were changes in browsers. The question was: How much of the specification's functionality do we have to remove to make the attack so difficult that it becomes impractical, while minimising visible changes to existing websites?